Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Kevin Littlejohn <darius () connect com au>
Date: Sat, 13 Feb 1999 07:41:27 +1100
A warning for people planning on doing this: Please please please only fire off counter-attacks in situations where you have a tcp connection (ie completed handshake) between you and the remote host - or in preference, don't fire the damned thing off in the first place.

It's firstly far too easy to scan from a spoofed address, and trigger your machine into attacking an innocent host (at which point you get hauled up in front of the firing squad ;), and secondly a huge number of scans/attacks come from compromised third party machines - you're usually going to be attacking a machine the cracker considers expendable (after all, who's going to do something as noisy as a scan from a valuable machine?)

Automate dropping yourself an email, sure. Automate dropping the remote admin an email, yeah, that's reasonable - if nothing else it'll put the fear of god into any cracker watching the admin mailbox on that machine. Automated scans and attacks are way easily abused by third parties...

KevinL
(on behalf of harassed admins everywhere *grin*)
Rasmus Andersson wrote:

Interesting thought. I don't want to hack the kernel, so how about letting ipfwadm log to syslog facility (with -o) and just watch the logs (to "kern" facility) with a Perl script or whatever? A log entry looks like this:

Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924 123.4.5.6:2049 L=112 S=0x00 I=30795 F=0x0000 T=128

So we might cut out the source address, check if it's worth scanning (i.e. not an RFC 1918 or localhost or something, and not one of our friends) and just hit it. Thanks for giving me the idea. Also, if he is obviously a very bad guy (checking for netbus or something) we could fire off Patriot missiles on him :-)

The watcher script could set some environment variables (source address, destination port etc.) and call another script where we do the nmap scans and whatever we want. A check should be done so not doing it twice on the same target within a given time.

Ouch... there goes my weekend :)

/Rasmus
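The log-watching step Rasmus describes, limited to the notify-yourself action Kevin recommends, as an added example that is not part of the original thread. The function names, the "friends" range 198.51.100.0/24, the one-hour suppression window and the default year are assumptions, and every sample line except the first is constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Field layout taken from the ipfwadm "-o" log line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s+IP fw-in\s+"
    r"(?P<action>\S+)\s+\S+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):\d+\s+[\d.]+:(?P<dport>\d+)\s")

# RFC 1918 and loopback, plus an assumed allow-list of "friends" (constructed).
SKIP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24")]
WINDOW = timedelta(hours=1)  # assumed: one alert per source per hour

def parse_line(line, year=1999):
    """Return (timestamp, action, proto, src, dport) or None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["action"], m["proto"], ipaddress.ip_address(m["src"]), int(m["dport"])

def alerts(lines):
    """One notification per source per WINDOW; the source is never contacted."""
    last, out = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, action, proto, src, dport = rec
        if any(src in net for net in SKIP):
            continue
        if src in last and ts - last[src] < WINDOW:
            continue  # already reported recently
        last[src] = ts
        out.append(f"{ts:%b %d %H:%M:%S} {action} {proto} from {src} "
                   f"to port {dport} (source address unverified, may be spoofed)")
    return out

TAIL = " L=112 S=0x00 I=30795 F=0x0000 T=128"
SAMPLE = [  # first line is from the thread; the rest are constructed
    "Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924 123.4.5.6:2049" + TAIL,
    "Jan 19 18:20:00 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4925 123.4.5.6:111" + TAIL,
    "Jan 19 18:21:00 idefix kernel: IP fw-in rej eth0 TCP 192.168.1.5:1025 123.4.5.6:23" + TAIL,
    "Jan 19 18:22:00 idefix kernel: IP fw-in rej eth0 TCP 198.51.100.7:1025 123.4.5.6:23" + TAIL,
    "Jan 19 19:30:00 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4926 123.4.5.6:2049" + TAIL,
]
```

Calling `alerts(SAMPLE)` returns two messages for 23.4.5.23 (18:11:49 and 19:30:00); the strings are meant for the local admin's mailbox.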